Synopses & Reviews
Your in-depth, hands-on, technical security-testing reference. Written for testers by testers, this guide highlights up-to-date tools, technologies, and techniques for helping find and eliminate security vulnerabilities in software.

Finding security flaws is now a fundamental development task, yet there has not been adequate documentation of the process used to find security bugs--until now. Before the Internet, computers were deployed in trusted environments, and software development and testing practices emphasized functionality over security. As networking technologies emerged, though, times changed and people began to connect their computers together instead of deploying them in silos. However, development and testing practices did not account for attacks that could be mounted over networks. The material currently available does not provide much practical guidance, and the instructions given often fail to cultivate the right mindset and approach to enable people to successfully identify security issues before the software is published.

This in-depth, technical reference highlights up-to-date tools, technologies, and techniques for helping find and eliminate vulnerabilities in software. Written for testers by testers, it delivers practical, hands-on guidance on how to find, classify, and assess bugs. In addition, this book covers the thought process behind security testing, use of source code to help in testing, and ways to spot security design flaws.
Learn how to think like an attacker—and identify potential security issues in your software. In this essential guide, security testing experts offer practical, hands-on guidance and code samples to help you find, classify, and assess security bugs before your software is released.
Discover how to:
- Identify high-risk entry points and create test cases
- Test clients and servers for malicious request/response bugs
- Use black box and white box approaches to help reveal security vulnerabilities
- Uncover spoofing issues, including identity and user interface spoofing
- Detect bugs that can take advantage of your program’s logic, such as SQL injection
- Test for XML, SOAP, and Web services vulnerabilities
- Recognize information disclosure and weak permissions issues
- Identify where attackers can directly manipulate memory
- Test with alternate data representations to uncover canonicalization issues
- Expose COM and ActiveX repurposing attacks
PLUS—Get code samples and debugging tools on the Web
About the Authors
Tom Gallagher is the lead of the Microsoft® Office Security Test team, where he focuses on penetration testing, writing security testing tools, and providing security education.
Bryan Jeffries is a software engineer responsible for driving security testing on Microsoft® SharePoint® Products and Technologies.
Lawrence Landauer is a software engineer at Microsoft® where he works on coding, testing, and training projects related to security, personal productivity, and deployment.
Table of Contents
- Dedication
- Foreword
- Introduction
  - Who Is This Book For?
  - Organization of This Book
  - System Requirements
  - Technology Updates
  - Code Samples and Companion Content
  - Support for This Book
  - Acknowledgments
- Chapter 1: General Approach to Security Testing
  - 1.1 Different Types of Security Testers
  - 1.2 An Approach to Security Testing
  - 1.3 Summary
- Chapter 2: Using Threat Models for Security Testing
  - 2.1 Threat Modeling
  - 2.2 How Testers Can Leverage a Threat Model
  - 2.3 Data Flow Diagrams
  - 2.4 Enumeration of Entry Points and Exit Points
  - 2.5 Enumeration of Threats
  - 2.6 How Testers Should Use a Completed Threat Model
  - 2.7 Implementation Rarely Matches the Specification or Threat Model
  - 2.8 Summary
- Chapter 3: Finding Entry Points
  - 3.1 Finding and Ranking Entry Points
  - 3.2 Common Entry Points
  - 3.3 Summary
- Chapter 4: Becoming a Malicious Client
  - 4.1 Client/Server Interaction
  - 4.2 Testing HTTP
  - 4.3 Testing Specific Network Requests Quickly
  - 4.4 Testing Tips
  - 4.5 Summary
- Chapter 5: Becoming a Malicious Server
  - 5.1 Understanding Common Ways Clients Receive Malicious Server Responses
  - 5.2 Does SSL Prevent Malicious Server Attacks?
  - 5.3 Manipulating Server Responses
  - 5.4 Examples of Malicious Response Bugs
  - 5.5 Myth: It Is Difficult for an Attacker to Create a Malicious Server
  - 5.6 Understanding Downgrade MITM Attacks
  - 5.7 Testing Tips
  - 5.8 Summary
- Chapter 6: Spoofing
  - 6.1 Grasping the Importance of Spoofing Issues
  - 6.2 Finding Spoofing Issues
  - 6.3 General Spoofing
  - 6.4 User Interface Spoofing
  - 6.5 Testing Tips
  - 6.6 Summary
- Chapter 7: Information Disclosure
  - 7.1 Problems with Information Disclosure
  - 7.2 Locating Common Areas of Information Disclosure
  - 7.3 Identifying Interesting Data
  - 7.4 Summary
- Chapter 8: Buffer Overflows and Stack and Heap Manipulation
  - 8.1 Understanding How Overflows Work
  - 8.2 Testing for Overruns: Where to Look for Cases
  - 8.3 Black Box (Functional) Testing
  - 8.4 White Box Testing
  - 8.5 Additional Topics
  - 8.6 Testing Tips
  - 8.7 Summary
- Chapter 9: Format String Attacks
  - 9.1 What Are Format Strings?
  - 9.2 Understanding Why Format Strings Are a Problem
  - 9.3 Testing for Format String Vulnerabilities
  - 9.4 Walkthrough: Seeing a Format String Attack in Action
  - 9.5 Testing Tips
  - 9.6 Summary
- Chapter 10: HTML Scripting Attacks
  - 10.1 Understanding Reflected Cross-Site Scripting Attacks Against Servers
  - 10.2 Understanding Persistent XSS Attacks Against Servers
  - 10.3 Identifying Attackable Data for Reflected and Persistent XSS Attacks
  - 10.4 Common Ways Programmers Try to Stop Attacks
  - 10.5 Understanding Reflected XSS Attacks Against Local Files
  - 10.6 Understanding Script Injection Attacks in the My Computer Zone
  - 10.7 Ways Programmers Try to Prevent HTML Scripting Attacks
  - 10.8 Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files
  - 10.9 Identifying HTML Scripting Vulnerabilities
  - 10.10 Finding HTML Scripting Bugs Through Code Review
  - 10.11 Summary
- Chapter 11: XML Issues
  - 11.1 Testing Non-XML Security Issues in XML Input Files
  - 11.2 Testing XML-Specific Attacks
  - 11.3 Simple Object Access Protocol
  - 11.4 Testing Tips
  - 11.5 Summary
- Chapter 12: Canonicalization Issues
  - 12.1 Understanding the Importance of Canonicalization Issues
  - 12.2 Finding Canonicalization Issues
  - 12.3 File-Based Canonicalization Issues
  - 12.4 Web-Based Canonicalization Issues
  - 12.5 Testing Tips
  - 12.6 Summary
- Chapter 13: Finding Weak Permissions
  - 13.1 Understanding the Importance of Permissions
  - 13.2 Finding Permissions Problems
  - 13.3 Understanding the Windows Access Control Mechanism
  - 13.4 Finding and Analyzing Permissions on Objects
  - 13.5 Recognizing Common Permissions Problems
  - 13.6 Determining the Accessibility of Objects
  - 13.7 Other Permissions Considerations
  - 13.8 Summary
- Chapter 14: Denial of Service Attacks
  - 14.1 Understanding Types of DoS Attacks
  - 14.2 Testing Tips
  - 14.3 Summary
- Chapter 15: Managed Code Issues
  - 15.1 Dispelling Common Myths About Using Managed Code
  - 15.2 Understanding the Basics of Code Access Security
  - 15.3 Finding Problems Using Code Reviews
  - 15.4 Understanding the Issues of Using APTCA
  - 15.5 Decompiling .NET Assemblies
  - 15.6 Testing Tips
  - 15.7 Summary
- Chapter 16: SQL Injection
  - 16.1 Exactly What Is SQL Injection?
  - 16.2 Understanding the Importance of SQL Injection
  - 16.3 Finding SQL Injection Issues
  - 16.4 Avoiding Common Mistakes About SQL Injection
  - 16.5 Understanding Repurposing of SQL Stored Procedures
  - 16.6 Recognizing Similar Injection Attacks
  - 16.7 Testing Tips
  - 16.8 Summary
- Chapter 17: Observation and Reverse Engineering
  - 17.1 Observation Without a Debugger or Disassembler
  - 17.2 Using a Debugger to Trace Program Execution and Change Its Behavior
  - 17.3 Using a Decompiler or Disassembler to Reverse Engineer a Program
  - 17.4 Analyzing Security Updates
  - 17.5 Testing Tips
  - 17.6 Legal Considerations
  - 17.7 Summary
- Chapter 18: ActiveX Repurposing Attacks
  - 18.1 Understanding ActiveX Controls
  - 18.2 ActiveX Control Testing Walkthrough
  - 18.3 Testing Tips
  - 18.4 Summary
- Chapter 19: Additional Repurposing Attacks
  - 19.1 Understanding Document Formats That Request External Data
  - 19.2 Web Pages Requesting External Data
  - 19.3 Understanding Repurposing of Window and Thread Messages
  - 19.4 Summary
- Chapter 20: Reporting Security Bugs
  - 20.1 Reporting the Issue
  - 20.2 Contacting the Vendor
  - 20.3 What to Expect After Contacting the Vendor
  - 20.4 Public Disclosure
  - 20.5 Addressing Security Bugs in Your Product
  - 20.6 Summary
- Tools of the Trade
  - General
  - ActiveX/COM
  - Canonicalization
  - Code Analysis
  - Debugging
  - Documents and Binaries
  - Fuzzers
  - Memory/Runtime
  - Network
  - Permissions
  - SQL
- Security Test Cases Cheat Sheet
  - Network Requests and Responses
  - Spoofing
  - Information Disclosures
  - Buffer Overflows
  - Format Strings
  - Cross-Site Scripting and Script Injection
  - XML
  - SOAP
  - Canonicalization Issues
  - Weak Permissions
  - Denial of Service
  - Managed Code
  - SQL Injection
  - ActiveX
- Tom Gallagher
- Bryan Jeffries
- Lawrence Landauer